TUCoPS :: Privacy :: priv_314.txt

Privacy Digest 3.14 7/16/94

PRIVACY Forum Digest      Saturday, 16 July 1994       Volume 03 : Issue 14

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS 
	New National ID Card Proposal (David Banisar)
	PrivacyGuard/CUC Int'l, Inc. (William E. Carroll)
	Privacy & "Discovery" (N. R. Sterling)
	Re: Newsgroup censorship (Marc Horowitz)
	USACM Calls for Clipper Withdrawal (US ACM, DC Office)
	ACM Releases Crypto Study (US ACM, DC Office)
	Re: Thank you, France Telecom (Peter Kaiser)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 03, ISSUE 14

   Quote for the day:

	"Pardon me boy, is this the Transylvania station?"

			-- Dr. Frederick Frankenstein (Gene Wilder)
			   "Young Frankenstein" (1974)

----------------------------------------------------------------------

Date:    Tue, 12 Jul 1994 20:11:46 -0500
From:    David Banisar <Banisar@epic.org>
Subject: New National ID Card Proposal

CBS Evening News just reported that Clinton has "tenatively signed off"
on a National ID card recommended to him by a commission on immigration 
reform. The obstensive reason for the card is for employment and immigration. 
Each card will contain a name, photo, mag stripe with info and a "verified 
SSN." It was supported by Senator Alan Simpson of Wyoming, a long-time 
supporter of id cards. Gov. Pete Wilson of California has apparently offered 
to make California a test-bed for the proposal.  The proposal was opposed by 
Xavier Beccera, a Congressman from California.  A previous effort to impose a 
national id card was rejected by Congress in 1986.

EPIC is working with Privacy International to investigate this report. PI has 
led successful campaigns aginst national id cards in Australia, New Zealand, 
and the Phillipines. 
  
In Australia, the PI-led campaign led to the dissolution of both houses of 
the federal Parliament in 1987 after hundrends of thousands marched in 
protest. The Australian campaign brought together groups from all parts of 
the political spectrum from the Communist Party to the Libertarian Alliance, 
farmers and conservation groups, rock stars, academics, large businesses such 
as banks and mining corporations, but the overwhelming support came from the 
public who created the biggest civil protest in Australian history.

David Banisar (banisar@epic.org)
Electronic Privacy Information Center
666 Penn. Ave, SE #301, Washington, DC 20003
202-544-9240 (v) 202-547-5482 (f)

   [ I would urge avoiding emotional reactions to this report until such
     a time as it has been verified as fact and the details of any proposal
     and/or related proposed legislation are known.  -- MODERATOR ]

------------------------------

Date:    Fri, 08 Jul 1994 14:27:24 EDT
From:    NGMF93A@prodigy.com  (MR WILLIAM E CARROLL)
Subject: PrivacyGuard/CUC Int'l, Inc.

I've received a solicitation from CUC International, Inc., of Trumbull, CT,
which is apparently related to my GTE Mastercard. Essentially, they're
selling a $49 annual membership in PrivacyGuard. They will provide 4
things: 1) Your credit report, 2) Your driving report, 3) Your social
security record, & 4) Your medical history (disclosing who has asked to see
this file). I know that I can get my credit report free from TRW, my
driving report from the state, my social security record from the Fed.
gov't., without spending $49. What intrigues me, however, is the
availibility of the medical file. How does one go about obtaining a copy of
his medical file?

   [ There appears to be a very large Mastercard related solicitation for
     "PrivacyGuard" in progress nationwide.  The "medical file" they're
     referring to is apparently at least one of the medical insurance
     intercompany databases which relate to medical
     claim history.  -- MODERATOR ]

------------------------------

Date:    Sat, 02 Jul 1994 06:40:00 -0500 (EST)
From:    NRSST5@vms.cis.pitt.edu
Subject: PRIVACY & "DISCOVERY"


			PRIVACY & "DISCOVERY"

	Most people equate the term "discovery" with expressions such
as, "Eureka!"  Indeed, in the everyday, non-legal world both words
more often than not have a salutary connotation.

	In the nether world of litigation, however, the word discovery
takes on a more ominous meaning.  There in the twilight zone of motions,
pleadings, body attachments, executions, appeals, petitions, and the like,
stands the spector of "Discovery," looming larger in some cases than in
others, but always loitering in the background, available as a powerful
tool capable of prying loose closely guarded secrets that most prudent
people would deem private and inviolate.

	While this paper is not intended to be all encompassing, nor is
it intended to provide or replace professional advice which should be
sought for details concerning any specific jurisdiction, it will
nonetheless set forth a few examples of privacy invasion through the
legal process known as "discovery" in order to provide a springboard
for further research by those who may be inclined to do so.

	To begin, telephone records are often the subject of discovery.
A subpoena is obtained (either free, in Federal Court, or for a nominal
fee of a dollar or so in State Court) and served upon the telephone
company, setting forth a deposition date, i.e., a date in which the
telephone company must appear and turn over any telephone records
designated in the subpoena.  Usually these records consist of any notes
made in the billing and service departments by telephone company
personnel during their conversations with the subscriber.  The records
also include a copy of any initial application made by the subscriber
together with copies of the subscriber's bills.  These bills generally
include the precise times and telephone numbers of every single toll
call placed through the use of the subscriber's telephone or phone
credit card during the past five (5) years, and sometimes longer.

	Next, discovery of bank records follows pretty much the same
process, and produces the customer's account application, including
social security number, together with the records of each and every
transaction with the bank since the account was opened.  If it is a
checking account, the bank is required to produce copies of every
check processed, front and back, together with copies of every money
order, check or draft deposited to the account.

	With such information in hand, the telephone records may be
examined in the light of the subscriber's toll calls, and each number
listed as a number called on such toll records may then be subjected
to further discovery or other routine forms of investigation, 
determining the identity of the subscriber of each toll listed number
and what their relationship is to the subject of the initial discovery.

	The details gleaned from such labors are then combined with the
results of any investigation concerning each payee and each endorser of
every check, which reveals among other things, who the bank customer
pays money to, e.g., credit card companies (with credit card numbers
usually appearing on the memo line, written by the unsuspecting maker of
the check), personal loan payements, grocery store bills, car payments,
magazine subscriptions, allowance money for kids in college, and whatever
else the checks may have been written for.  The checks also often include
driver's license or other personal identification information written on
the backs by the merchants who cash them.         

	Now even the slovenly investigator can set up phone banks for the
purpose of contacting all of the persons and places enumerated above, and
can do so with ease, building piece by piece a profile of the telephone
subscriber and bank customer and using such information to harass the
subject's friends and family and business associates under the guise of
discovery.  Deep pocket litigators especially can run roughshod over the
rights of most people, who are usually unable financially to mount and
maintain a monumental defense or even secure a protective order from the
court.  Indeed, in many instances sub rosa machinations are employed
without the victims even being aware that such discovery procedures
have been used against them.

	While this paper touches only a few surface aspects of legal
discovery vis-a-vis privacy invasion, the information is provided
as a tocsin to alert those with an interest in such matters to do
further study on the subject in order to better protect their own
privacy interests.

	(c) 1994 N. R. Sterling
	    IN%"nrsst5@vms.cis.pitt.edu"

	Electronic distribution rights only are hereby granted to
Privacy Forum.  Readers seeking further information may contact the
author directly at the above email address.

------------------------------

Date:    Sun, 03 Jul 94 20:06:07 EDT
From:    Marc Horowitz <marc@MIT.EDU>
Subject: re: Newsgroup censorship

>> What is the basis for viewing the entire constellation of Usenet newgroups
>> as a single entity, which one must take whole (alt.sex.bestiality along with
>> sci.physics.research) or not all?  The only thing the two have in common
>> is the technology used to deliver them - about what Physical Review Letters
>> and Spread Legs have in common.

A different view is that censoring particular newsgroups requires some
effort (not much, certainly, but some).  I would not say that a school
should be required to seek out every single newsgroup it can find, nor
should it be required to carry traffic which strains its resources
(alt.binaries.pictures.erotica vs alt.sex.stories), but a university
should not actively remove certain newsgroups from circulation.

A similar analogy might be the telephone system here at MIT.  A
student cannot call a 900 number from a dorm phone, but can call 800
numbers.  The phone system here could be programmed to disallow
students from calling certain 800 numbers advertised on late-night TV,
but this is not done.  I think this behavior could be compared to a
policy of not carrying certain newsgroups, and both would be wrong.

		Marc

  [ Response from the MODERATOR:

    I think that the original analogy holds up pretty well.  I'll bet
    the magazine rack down at the MIT bookstore doesn't carry the same wide
    variety of sex-oriented magazines probably available at public
    stands within feet of campus.

    The choice of "publications" which are appropriate to a particular
    venue can most certainly be legitimately contrained by concerns
    other than volume.  The fear of public outcry over "University
    providing pornography to students over campus computer
    system--government funds being used to promote pornography!" is a
    real one, regardless of how one feels about the topic personally.

    Censorship does not enter the picture automatically when you can't get
    everything, everywhere.  Individuals can always get their own accounts
    on public systems, and choose service providers willing to carry such
    material--just as they can go to public bookstores and magazine racks
    rather than the ones on campus.

    When materials which are legal to distribute become unavailable in a
    manner which makes them difficult or impossible to get at all, *then*
    censorship indeed can become a significant factor.

    -- MODERATOR ]

------------------------------

Date:    Thu, 30 Jun 1994 16:35:37 +0000
From:    "US ACM, DC Office" <usacm_dc@acm.org>
Subject: USACM Calls for Clipper Withdrawal
                              
                              U S A C M

 Association for Computing Machinery, U.S. Public Policy Committee

                          * PRESS  RELEASE *
 
Thursday, June 30, 1994	

Contact: 
Barbara Simons (408) 463-5661, simons@acm.org (e-mail)
Jim Horning  (415) 853-2216, horning@src.dec.com (e-mail)
Rob Kling (714) 856-5955, kling@ics.uci.edu (e-mail)


     COMPUTER POLICY COMMITTEE CALLS FOR WITHDRAWAL OF CLIPPER 

            COMMUNICATIONS PRIVACY "TOO IMPORTANT" FOR 
                     SECRET DECISION-MAKING

     WASHINGTON, DC - The public policy arm of the oldest and 
largest international computing society today urged the White 
House to withdraw the controversial "Clipper Chip" encryption 
proposal.  Noting that the "security and privacy of electronic 
communications are vital to the development of national and 
international information infrastructures," the Association for 
Computing Machinery's U.S. Public Policy Committee (USACM) added 
its voice to the growing debate over encryption and privacy 
policy.

     In a position statement released at a press conference on 
Capitol Hill, the USACM said that "communications security is too 
important to be left to secret processes and classified 
algorithms."  The Clipper technology was developed by the National 
Security Agency, which classified the cryptographic algorithm that 
underlies the encryption device.  The USACM believes that Clipper 
"will put U.S. manufacturers at a disadvantage in the global 
market and will adversely affect technological development within 
the United States."   The technology has been championed by the 
Federal Bureau of Investigation and the NSA, which claim that 
"non-escrowed" encryption technology threatens law enforcement and 
national security.

     "As a body concerned with the development of government 
technology policy, USACM is troubled by the process that gave rise 
to the Clipper initiative," said Dr. Barbara Simons, a computer 
scientist with IBM who chairs the USACM.  "It is vitally important 
that privacy protections for our communications networks be 
developed openly and with full public participation."

     The USACM position statement was issued after completion of a 
comprehensive study of cryptography policy sponsored by the ACM 
(see companion release).  The study, "Codes, Keys and Conflicts: 
Issues in U.S Crypto Policy," was prepared by a panel of experts 
representing various constituencies involved in the debate over 
encryption.

     The ACM, founded in 1947, is a 85,000 member non-profit 
educational and scientific society dedicated to the development 
and use of information technology, and to addressing the impact of 
that technology on the world's major social challenges.  USACM was 
created by ACM to provide a means for presenting and discussing 
technological issues to and with U.S. policymakers and the general 
public.  For further information on USACM, please call (202) 298-
0842.

   =============================================================


       USACM Position on the Escrowed Encryption Standard


The ACM study "Codes, Keys and Conflicts: Issues in U.S Crypto 
Policy" sets forth the complex technical and social issues 
underlying the current debate over widespread use of encryption.  
The importance of encryption, and the need for appropriate 
policies, will increase as networked communication grows.  
Security and privacy of electronic communications are vital to  
the development of national and international information 
infrastructures.

The Clipper Chip, or "Escrowed Encryption Standard" (EES) 
Initiative, raises fundamental policy issues that must be fully 
addressed and publicly debated.  After reviewing the ACM study, 
which provides a balanced discussion of the issues, the U.S. 
Public Policy Committee of ACM (USACM) makes the following 
recommendations.

  1.  The USACM supports the development of public policies and 
technical standards for communications security in open forums in 
which all stakeholders -- government, industry, and the public -- 
participate.  Because we are moving rapidly to open networks, a 
prerequisite for the success of those networks must be standards 
for which there is widespread consensus, including international 
acceptance.  The USACM believes that communications security is 
too important to be left to secret processes and classified 
algorithms.  We support the principles underlying the Computer 
Security Act of 1987, in which Congress expressed its preference 
for the development of open and unclassified security standards.

  2.  The USACM recommends that any encryption standard adopted by 
the U.S. government not place U.S. manufacturers at a disadvantage 
in the global market or adversely affect technological development 
within the United States.  Few other nations are likely to adopt a 
standard that includes a classified algorithm and keys escrowed 
with the U.S. government.

  3.  The USACM supports changes in the process of developing 
Federal Information Processing Standards (FIPS) employed by the 
National Institute of Standards and Technology.  This process is 
currently predicated on the use of such standards solely to 
support Federal procurement.  Increasingly, the standards set 
through the FIPS process directly affect non-federal organizations 
and the public at large.  In the case of the EES, the vast 
majority of comments solicited by NIST opposed the standard, but 
were openly ignored.  The USACM recommends that the standards 
process be placed under the Administrative Procedures Act so that 
citizens may have the same opportunity to challenge government 
actions in the area of information processing standards as they do 
in other important aspects of Federal agency policy making.

  4.  The USACM urges the Administration at this point to withdraw 
the Clipper Chip proposal and to begin an open and public review 
of encryption policy.  The escrowed encryption initiative raises 
vital issues of privacy, law enforcement, competitiveness and 
scientific innovation that must be openly discussed.

  5.  The USACM reaffirms its support for privacy protection and 
urges the administration to encourage the development of 
technologies and institutional practices that will provide real 
privacy for future users of the National Information 
Infrastructure.

------------------------------

Date:    Thu, 30 Jun 1994 16:34:47 +0000
From:    "US ACM, DC Office" <usacm_dc@acm.org>
Subject: ACM Releases Crypto Study


                Association for Computing Machinery

                           PRESS RELEASE
         __________________________________________________

Thursday, June 30, 1994

Contact:

Joseph DeBlasi, ACM Executive Director (212) 869-7440 
Dr. Stephen Kent, Panel Chair (617) 873-3988 
Dr. Susan Landau, Panel Staff (413) 545-0263

    COMPUTING SOCIETY RELEASES REPORT ON ENCRYPTION POLICY

     WASHINGTON, DC - A panel of experts convened by the nation's 
foremost computing society today released a comprehensive report 
on U.S. cryptography policy.  The report, "Codes, Keys and 
Conflicts: Issues in U.S Crypto Policy," is the culmination of a 
ten-month review conducted by the panel of representatives of the 
computer industry and academia, government officials, and 
attorneys.  The 50-page document explores the complex technical 
and social issues underlying the current debate over the Clipper 
Chip and the export control of information security technology.

     "With the development of the information superhighway, 
cryptography has become a hotly debated policy issue," according 
to Joseph DeBlasi, Executive Director of the Association for 
Computing Machinery (ACM), which convened the expert panel.  "The 
ACM believes that this report is a significant contribution to the 
ongoing debate on the Clipper Chip and encryption policy.  It cuts 
through the rhetoric and lays out the facts."

     Dr. Stephen Kent, Chief Scientist for Security Technology 
with the firm of Bolt  Beranek and Newman, said that he was 
pleased with the final report.  "It provides a very balanced 
discussion of many of the issues that surround the debate on 
crypto policy, and we hope that it will serve as a foundation for 
further public debate on this topic."  

     The ACM report addresses the competing interests of the 
various stakeholders  in  the  encryption debate  --  law 
enforcement agencies,  the intelligence community, industry and 
users of communications services.  It reviews the recent history 
of U.S. cryptography policy and identifies key questions that 
policymakers must resolve as they grapple with this controversial 
issue.

     The ACM cryptography panel was chaired by Dr. Stephen Kent.  
Dr. Susan Landau, Research Associate Professor in Computer Science 
at the University of Massachusetts, co-ordinated the work of the 
panel and did most of the writing. Other panel members were Dr. 
Clinton Brooks, Advisor to the Director, National Security Agency; 
Scott Charney, Chief of the Computer Crime Unit, Criminal 
Division, U.S. Department of Justice; Dr. Dorothy Denning, 
Computer Science Chair, Georgetown University; Dr. Whitfield 
Diffie, Distinguished Engineer, Sun Microsystems; Dr. Anthony 
Lauck, Corporate Consulting Engineer, Digital Equipment 
Corporation; Douglas Miller, Government Affairs Manager, Software 
Publishers Association; Dr. Peter Neumann, Principal Scientist, 
SRI International; and David Sobel, Legal Counsel, Electronic 
Privacy Information Center.  Funding for the cryptography study 
was provided in part by the National Science Foundation. 

     The ACM, founded in 1947, is a 85,000 member non-profit 
educational and scientific society dedicated to the development 
and use of information technology, and to addressing the impact of 
that technology on the world's major social challenges.  For 
general information, contact ACM, 1515 Broadway, New York, NY  
10036. (212) 869-7440 (tel), (212) 869-0481 (fax).

     Information on accessing the report electronically will be 
posted soon in this newsgroup.

------------------------------

Date:    Thu, 30 Jun 94 10:44:15 MET DST
From:    Peter Kaiser <kaiser@heron.enet.dec.com>
Subject: RE: Thank you, France Telecom

> When you push the redial button,
> what number is redialed: the last number that was dialed using your card
> or the last number that was dialed on that phone?

Same airport, same phones: the redial button seems to have no effect when I
insert my card in a phone where I wasn't the last user.  So perhaps it works
only when it recognizes "this card is the last card used in this phone".
But there are other possibilities -- a timeout period, for instance.  And
what happens when you insert a depleted card?  People discard them; can
they still be used to get the last numbers they were used for?

I'm made uneasy by hidden, undocumented, and unexplained features.  Even if
it were to turn out that the algorithm for REDIAL were, for instance,
"permit REDIAL only if the card in this phone is the last one previously
used, and within the last five minutes", I still don't like it that the
phone system has hidden features.  They certainly aren't explained in the
phone enclosures.

___Pete
kaiser@acm.org
+33 92.95.62.97 FAX +33 92.95.50.50

------------------------------

End of PRIVACY Forum Digest 03.14
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH